EV Observe - Configure sFlow Monitoring Prerequisites

Last modified on 2022/11/17 10:08

Note: The configuration of network hosts for exporting sFlow packets and samples to the sFlow collector will depend on each host. Contact your hardware integrator or vendor to find out more about the components to be set up.

sFlow (sampled Flow) is a flow-export protocol used on routers and switches for the real-time monitoring and analysis of network traffic. It uses the concept of flows to capture data on network behavior, such as the source and destination of network traffic, the applications using the network and the bandwidth allocated to these applications.

To use service templates based on the sFlow protocol, specific prerequisites must first be met.

  • You configure these prerequisites once only.
  • This is done in three steps:
    • Configure the sFlow collector to receive information on network traffic
    • Configure the monitored network hosts to send sFlow information to the collector
    • Check that sFlow is working correctly

sFlow network traffic monitoring: Operating principle

[Figure: sFlow collect data - Operating principle]
  • (1) sFlow agents: sFlow agents query network hosts (e.g. routers, switches) on a regular basis and process data in packets using packet-sampling technology. Records of the monitored network traffic are sent to the sFlow collector in nfcapd files.
  • (2) sFlow collector (sFlow Collector Storage): This collects the records sent by sFlow agents and stores them in the local database.
  • (3) Box: This retrieves information from the sFlow collector.
  • (4) Monitoring platform: This analyzes the sFlow data collected by the Boxes using the NetworkAnalysis-sFlow service template. It displays the data in a dashboard and sends alerts in the event of errors or malfunctions in network devices.

Notes

  • The current sFlow protocol version is V5.
  • sFlow default parameters:
    • Sampling rate = 4096
    • Sampling size = 128
    • Maximum datagram size = 1400
    • sFlow collector port = 6343
    • Polling interval = 20
  • To implement sFlow network monitoring, you must define the following for each interface to be monitored:
    • A listening port
    • An access control list (ACL), used to authorize connection between the collector and the interface listening port
    • A destination folder for the interface flow exports

Caution

  • The server dedicated to collecting sFlow exports must not be used as a monitoring box.


Determine sizing requirements for the sFlow collector


Best Practice

  • Based on your network analysis requirements, you can use a dedicated server for collecting sFlow exports or one of the commissioned Boxes.
  • You can use the same Box to pool the sFlow collector and the Netflow collector.
  • Create a single destination folder for sFlow flow exports. In this folder, you can create one subfolder for each network interface to be monitored by sFlow.
  • To identify the flow export subfolders easily, you should name them using the host name and its IP address.

example  

  • Destination folder ==> /network_analysis/sflow/
  • Export folder for Router A ==> /network_analysis/sflow/RouterA_172.16.10.2
  • Export folder for Router B ==> /network_analysis/sflow/RouterB_192.16.80.1

Procedure: How to configure sFlow monitoring prerequisites

Step 1: Configure the sFlow collector


Step 2: Configure the network hosts

Note: The configuration of network hosts for exporting packets and samples to the sFlow collector will depend on each host. The procedure includes an example for a switch, HP-2920-48G. For other hosts, contact your hardware integrator or vendor to find out more about the components to be set up.

General procedure

1. Log in to the network host where you want to enable sFlow.

2. Perform the steps below to configure sFlow for the network host.

  • Specify the destination for sFlow flows, i.e. IP address and port of the sFlow collector.
  • Define the sampling rate for the network interface (1 to 24).
  • Define the polling interval for collecting interface statistics.

3. Check that sFlow is correctly configured on the network host.
 

Example: Configuration for switch HP-2920-48G

  • Log in to switch HP-2920-48G.
  • Run the command below to specify the destination of sFlow flows.
    Replace:
    • <IP Address> with the IP address of the sFlow collector
    • <Port> with the collector port

(config)# sflow 1 destination <IP Address> <Port>

example  HP-2920-48G# sflow 1 destination 192.168.238.37 6343

  • Run the command below to define the sampling rate for the switch.
    Replace:
    • <Interface ID> with the network interface ID
    • <Sample every n packets> with the sampling rate, i.e. number of packets

(config)# sflow 1 sampling ethernet <Interface ID> <Sample every n packets>

example  Sample one packet out of every 128 ==> HP-2920-48G# sflow 1 sampling ethernet 47-48 128

  • Define the polling interval for collecting interface statistics.
    Replace:
    • <Interface ID> with the network interface ID
    • <Polling frequency> with the interval in seconds.

(config)# sflow 1 polling ethernet <Interface ID> <Polling frequency>

example  Polling every 30 seconds ==> HP-2920-48G# sflow 1 polling ethernet 47-48 30

  • Run the command below to check the sFlow configuration parameters for the switch.

(config)# show sflow 1 destination

example  HP-2920-48G# show sflow 1 destination

The following results will be displayed.

Destination Instance: 1
sflow: Enabled
Datagrams Sent: 126822
Destination Address: 192.168.238.37
Receiver Port: 6343
Owner: Administrator, CLI-Owned, Instance 1
Timeout (seconds): 2147403334
Max Datagram Size: 1400
Datagram Version Support:

 

Step 3: Check that the sFlow collector is working correctly

1. Check that the flows exported from each network interface are stored correctly in the sFlow collector.

  • Log in to the sFlow collector.
  • Go to the folder dedicated to the storage of nfcapd exports.
  • Check for files larger than 276 bytes whose names follow the format nfcapd.YYYYMMddhhmm.

Caution:

  • nfcapd files are periodically created by the sfcapd process even if no data is loaded by sFlow agents. In this case, their size is 276 bytes.
  • To ensure that the sFlow configuration is operational, you must therefore check that file sizes are greater than 276 bytes. This means that they contain data loaded by sFlow agents.

example  Presence of files greater than 276 bytes in the following format, nfcapd.202209181140

2. Go over the steps for configuring sFlow in the event of an error, e.g. missing files.
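
The check in Step 3, as an added example (not part of the original page or of the product's own tooling): it walks the destination folder, counts nfcapd.YYYYMMddhhmm files in each export subfolder and separates folders that hold data from folders with only 276-byte files or no files at all. The sample tree is constructed for the demonstration; SwitchC_192.0.2.10 is a hypothetical host.

```shell
#!/bin/sh
# Added example (not from the original page): report which sFlow export
# subfolders contain real flow data, using the 276-byte rule from Step 3.

EMPTY_SIZE=276  # bytes; size of an nfcapd file written with no sFlow data
# 12 digits = YYYYMMddhhmm, so files with any other suffix are ignored
STAMP='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# Count the files matched by the given find arguments.
count() { find "$@" | wc -l | tr -d ' '; }

# Prints "<state> <subfolder> <files with data>/<nfcapd files>" per subfolder.
# OK = at least one file > 276 bytes, EMPTY = only 276-byte files,
# MISSING = no nfcapd files. Returns 1 unless every subfolder is OK.
check_sflow_exports() {
    dest=$1; rc=0; seen=0
    for dir in "$dest"/*; do
        [ -d "$dir" ] || continue
        seen=$((seen + 1))
        total=$(count "$dir" -type f -name "nfcapd.$STAMP")
        data=$(count "$dir" -type f -name "nfcapd.$STAMP" -size +"${EMPTY_SIZE}"c)
        if [ "$data" -gt 0 ]; then state=OK
        elif [ "$total" -gt 0 ]; then state=EMPTY; rc=1
        else state=MISSING; rc=1
        fi
        echo "$state $(basename "$dir") $data/$total"
    done
    [ "$seen" -gt 0 ] || { echo "MISSING $dest 0/0"; rc=1; }
    return "$rc"
}

# Constructed sample tree: Router A and B reuse the folder names from the
# Best Practice example; SwitchC_192.0.2.10 is a made-up host with no files.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/RouterA_172.16.10.2" "$root/RouterB_192.16.80.1" \
          "$root/SwitchC_192.0.2.10"
    dd if=/dev/zero of="$root/RouterA_172.16.10.2/nfcapd.202209181135" bs=276 count=1 2>/dev/null
    dd if=/dev/zero of="$root/RouterA_172.16.10.2/nfcapd.202209181140" bs=1024 count=1 2>/dev/null
    dd if=/dev/zero of="$root/RouterB_192.16.80.1/nfcapd.202209181140" bs=276 count=1 2>/dev/null
    echo "$root"
}

sample=$(make_sample_tree)
check_sflow_exports "$sample" || echo "sFlow exports need attention"
rm -rf "$sample"
```

On a real collector, pass the destination folder (for example /network_analysis/sflow/) instead of the sample tree. EMPTY means files are being created but no agent data arrives, while MISSING means nothing is being written to that subfolder at all.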
 

Step 4: Configure the NetworkAnalysis-sFlow service template

1. Deploy one service for each application, source IP and destination IP to be monitored by sFlow.

  • See the detailed procedure
 

Step 5: Set up monitoring for the sFlow collector

1. Use the modèle-serveur-linux host template that includes the following service templates.

  • CPU
  • LIN-DiskIO
  • LIN-Diskspace
  • LIN-Network_Traffic
  • LIN-RAM
  • LIN-Swap

2. You can also use the following service templates.

  • LIN-DirectorySize: Used to monitor the size of destination folders.
  • Lin-ProcessName: Used to monitor that sfcapd processes are running correctly.

3. Use action templates to restart sfcapd processes if they are interrupted.
